Hi Guys,
Hopefully something you can assist me with to stop me from ripping any more of my hair out. For the last few days, I have been trying to add our VCSA to our domain so that I can set up the SSO domain.
This is a brand new deployment - 6.0 all around. We are using the embedded VCSA with an embedded deployment. When I go to join the domain, I get the following error:
Idm client exception: Error trying to join AD, error code [11], user [Administrator@mydomain], domain [mydomain], orgUnit []
I have replaced our domain name with 'mydomain' above - any ideas?
Are you using the correct UPN in the username for the domain? I had a very similar error. It turned out to be an incorrect UPN. Check if an AD object has been created. I noticed this: since VCSA silently joins the domain, you will not get any notification for a successful join. The Join tab remains enabled until the PSC, or in your case the VCSA, is rebooted. I faced this issue where the PSC had successfully joined the domain but since the Join tab had not greyed out, we tried joining again and kept getting the error until we rebooted the PSC. Try these and let us know.
Log in to the CLI and try joining using the following command:
/opt/likewise/bin/domainjoin-cli join DOMAIN.NAME.COM domain.user
When prompted, provide the password.
Reboot the VCSA and you should be joined to AD.
Thanks for your replies.
I'm afraid still no luck - I'm getting the following error when trying to domain join through the CLI:
Error: Lsass Error [code 0x0000000b]
The OU format is invalid.
For confirmation, the VCSA name does include the domain in its name (vcsa@domain.com). The VCSA can ping the domain controllers by name, and vice versa. The VCSA is in the domain's DNS, and a PTR record is created (as per installation requirements).
Here's a screenshot of the error:
Basic question, but is the account you are using to join the server to the domain a domain admin account?
Yep
It's the default domain administrator account in the domain (using it to make sure it's not an account-related issue).
Hi,
If I trust the KB article, an error similar to this should have been fixed in 5.5 U3:
So if you don't use 6.0 U1 for your deployment it may still exist in that version.
Could you check if your NetBIOS domain name is in all capital letters, or does it contain small letters as well (or is maybe completely in small letters)?
Then that could be your issue.
Regards,
Andreas
It should be fixed in 6.0 U1. I deployed a VCSA with this version last week and our domain is entirely in small letters.
Thanks guys - I upgraded the VCSA just a few weeks ago to 6.0.0.b to see if there was any related fix, but of course there wasn't.
I'm currently downloading the upgrade pack for 6.0.0.U1 and I'll report back!
VCSA upgraded, and when I join the domain, I get a 'SUCCESS' message.
After this, I reboot the VCSA, but when it comes back up, in the web client under Settings--> Active Directory, it doesn't show any domain details, and I still have the Join option.
I tried joining the domain through the web client the first time, and using the CLI the second time, but it is still appearing this way.
Any ideas?
EDIT: Also meant to say that when I go to SSO--> Users and Groups, the AD domain still doesn't appear, so I'm pretty certain that it hasn't actually joined the domain.
So after the reboot, when you go to Administration --> System Configuration --> Node --> Manage --> Active Directory, the domain is still not displayed?
If it does, have you added the Identity Source via Administration --> SSO / Configuration --> Identity Sources?
If so, which method did you use to add the identity source?
After the reboot, in Administration --> System Configuration --> Node --> Manage --> Active Directory, the domain is not displayed - empty fields.
Even though it is supposedly resolved, and worked fine for me, when you do the join, add the domain in all uppercase letters, and don't specify an OU.
Also check to make sure LDAP port 389 is open. I'm not sure if you would even get the SUCCESS message if it wasn't, but might be worth checking.
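A pre-flight script for the checks raised across this thread (domain case and UPN for the join account, no OU, forward and reverse DNS for the appliance, TCP 389 to a domain controller), added here as an example and not code from the thread or from VMware; it assumes Python 3 and the placeholder names vcsa.child.example.com and dc1.child.example.com, which are constructed for the example.

```python
import re
import socket

# Constructed placeholder names for this example; they are not real hosts.
UPN_RE = re.compile(r"^[^@\s/\\]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
DOMAIN_RE = re.compile(r"^[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def check_join_params(domain, user, org_unit=""):
    """Validate what will be handed to domainjoin-cli.
    Returns (normalized_domain, problems); an empty list means go ahead."""
    problems = []
    if not DOMAIN_RE.match(domain or ""):
        problems.append("domain must be the DNS name of the AD domain, e.g. CHILD.EXAMPLE.COM")
    # The thread's workaround: pass the domain in upper case and leave the OU empty.
    normalized = (domain or "").upper()
    if org_unit:
        problems.append("leave the OU empty; a non-empty OU gave 'The OU format is invalid' (code 0xb)")
    if "@" in user:  # a bare user name is accepted by domainjoin-cli; only validate UPNs
        if not UPN_RE.match(user):
            problems.append("join account is not a well-formed UPN (user@domain)")
        elif user.rsplit("@", 1)[1].upper() != normalized:
            problems.append("UPN suffix does not match the domain being joined")
    return normalized, problems

def check_dns(fqdn, lookup_a=socket.gethostbyname, lookup_ptr=socket.gethostbyaddr):
    """A record present and PTR pointing back at the same FQDN, as the install
    requirements demand. The lookups are injectable so the logic runs offline."""
    try:
        ip = lookup_a(fqdn)
    except OSError as exc:
        return ["no A record for %s (%s)" % (fqdn, exc)]
    try:
        ptr_name = lookup_ptr(ip)[0]
    except OSError as exc:
        return ["no PTR record for %s (%s)" % (ip, exc)]
    if ptr_name.lower().rstrip(".") != fqdn.lower().rstrip("."):
        return ["PTR for %s resolves to %s, not %s" % (ip, ptr_name, fqdn)]
    return []

def ldap_port_open(dc_host, port=389, timeout=3.0):
    """True if a TCP connection to the DC's LDAP port succeeds."""
    try:
        with socket.create_connection((dc_host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    domain, problems = check_join_params("child.example.com", "Administrator@child.example.com")
    problems += check_dns("vcsa.child.example.com")
    if not ldap_port_open("dc1.child.example.com"):
        problems.append("TCP 389 to dc1.child.example.com is not reachable")
    for p in problems:
        print("PROBLEM:", p)
    if not problems:
        print("ready: /opt/likewise/bin/domainjoin-cli join %s Administrator@%s" % (domain, domain))
```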
Port 389 is open as it's in the same network as the DCs.
You can see here that I'm getting the success message (tried with the domain in upper case this time).
After a reboot, this is the domain screen - not working properly.
OK, I'll keep trying to help you research and figure out what is wrong. One question about your domain in general. Do you have a single domain in your company, or do you have multiple domains? If multiple, are they independent or is there a trust between them? If there is a trust, are you joining the domain at the highest level of the hierarchy, or one of the sub-domains?
Thanks for all your help thus far
We have a forest domain which is the parent for all child domains/countries (we split child domains by country); however, that doesn't come into anything here (be it the domain we are joining it to, or the credentials we are using to add it to the child).
We are trying to add this VCSA to the child domain for the particular country that it sits in, and we are using the default Administrator account credentials of that specific child domain.
Can you try to add it to the parent domain as a test?
I went back in to follow your suggestion, and the domain is now appearing in there! This makes no sense!
Anyway - biggest problem solved so thanks very much
One query I have - the VCSA has joined the sub-domain. In SSO --> Configuration --> Identity Sources, I selected Active Directory (Integrated Windows Authentication) and selected to use the machine account. The box automatically fills with the child domain, but then once it's added, it displays the parent domain. Is this correct?
I'm asking this because when I then go to Access Control --> Global Permissions --> Manage, then select the parent domain to add user permissions for the parent, I get an error message saying 'Cannot load users for the selected domain'.
If the VCSA is in a child domain, and the administrator users are in the parent domain, what's the best way to get them added to the VCSA? We do have a group within the child domain, containing all users from the parent domain, but adding this doesn't seem to work.
One query I have - the VCSA has joined the sub-domain. In SSO --> Configuration --> Identity Sources, I selected Active Directory (Integrated Windows Authentication) and selected to use the machine account. The box automatically fills with the child domain, but then once it's added, it displays the parent domain. Is this correct?
I would say yes; my experience with this type of domain setup resulted in the same thing, since you joined it to the parent domain but used an account that is tied to the sub-domain (I presume) and/or are pointing at a domain controller in the sub-domain. This shouldn't be an issue.
I'm asking this because when I then go to Access Control --> Global Permissions --> Manage, then select the parent domain to add user permissions for the parent, I get an error message saying 'Cannot load users for the selected domain'.
I am not an AD person, but my guess is that the trust between the domains is not set up properly. I would add the identity source as "AD as an LDAP Server", rather than integrated. You could also add the sub-domain as a separate identity source. You shouldn't have to, but I have done this with success when dealings with our AD team brought no positive results.
If the VCSA is in a child domain, and the administrator users are in the parent domain, what's the best way to get them added to the VCSA? We do have a group within the child domain, containing all users from the parent domain, but adding this doesn't seem to work.
Doing the above should resolve this.